[solved] Certbot report "Connection refused"

Server
1

I run:

certbot --apache -d www.collstrup.com -d collstrup.com -d nextcloud.collstrup.com -d nc.collstrup.com -d mail.collstrup.com  --test-cert

Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.collstrup.com
tls-sni-01 challenge for collstrup.com
tls-sni-01 challenge for nextcloud.collstrup.com
tls-sni-01 challenge for nc.collstrup.com
tls-sni-01 challenge for mail.collstrup.com

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nc.collstrup.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, mail.collstrup.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, www.collstrup.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, nextcloud.collstrup.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, collstrup.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nc.collstrup.com
    Type: connection
    Detail: Connection refused

    Domain: mail.collstrup.com
    Type: connection
    Detail: Connection refused

    Domain: www.collstrup.com
    Type: connection
    Detail: Connection refused

    Domain: nextcloud.collstrup.com
    Type: connection
    Detail: Connection refused

    Domain: collstrup.com
    Type: connection
    Detail: Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Firewall log indicate that ssl traffic is coming in doing the process

Oct 4 15:28:34 centos7-1 kernel: 443-firewalld-logIN=ens9 OUT= MAC=52:54:00:c6:db:74:30:91:8f:2a:83:e2:08:00 SRC=13.58.30.69 DST=77.215.239.148 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=9394 DF PROTO=TCP SPT=41276 DPT=443 WINDOW=26883 RES=0x00 SYN URGP=0

Oct 4 15:28:34 centos7-1 kernel: 443-firewalld-logIN=ens9 OUT= MAC=52:54:00:c6:db:74:30:91:8f:2a:83:e2:08:00 SRC=66.133.109.36 DST=77.215.239.148 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=43474 DF PROTO=TCP SPT=48272 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0

Oct 4 15:28:34 centos7-1 kernel: 443-firewalld-logIN=ens9 OUT= MAC=52:54:00:c6:db:74:30:91:8f:2a:83:e2:08:00 SRC=34.213.106.112 DST=77.215.239.148 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=50959 DF PROTO=TCP SPT=46432 DPT=443 WINDOW=26883 RES=0x00 SYN URGP=0

Oct 4 15:28:34 centos7-1 kernel: 443-firewalld-logIN=ens9 OUT= MAC=52:54:00:c6:db:74:30:91:8f:2a:83:e2:08:00 SRC=52.29.173.72 DST=77.215.239.148 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=18137 DF PROTO=TCP SPT=42464 DPT=443 WINDOW=26883 RES=0x00 SYN URGP=0

System is Centos 7 minimal and public IP is bridged to the ens9 interface.

Using httpd24 and php 7 from SCL. Site is view able from many locations on port 80 (testet with geopeeker.com)

I have successfully used LE and certbot in the past so I am a bit confused by this problem.

/Anders

2

Hi @anderscollstrup,

The TLS-SNI-01 challenge uses port 443, not port 80. Making a connection to your site on port 443 does not appear to work.

For certbot --apache original issuance and renewals, your Apache does not have to be listening on port 443 already, but it needs to be possible to configure it to do so.

3

Hi schoen,

I am not sure I understand your answer. My server should accept 443. Check the firewall log I provided. It logs successful request on 443 (unless I misunderstand the log).

Firewall is open for both http and https

firewall-cmd --zone public --list-all

public (active)
target: default
icmp-block-inversion: no
interfaces: ens9
sources:
services: http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules

To confirm then I tried to stop firewalld and run certbot but I got the same result.

Apache is currently not configured with ssl … and do not listen to 443. Do I need to change that?

/Anders

4

Problem solved. I did install mod_ssl, but httpd24 need httpd24-mod_ssl.

I was a problem to uninstall mod_ssl since it was needed by certbot. Certbot do not play well with redhat scl.

/Anders

5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.